Ursnif Variant Using Thread Local Storage Callbacks for Process Injection

A new variant of the Ursnif (AKA Gozi) banking trojan has been observed using Thread Local Storage callbacks to inject itself into other processes.

Thread Local Storage (TLS) is a mechanism that allows non-stack data objects to be defined as variables on a per-thread basis. Within this mechanism, callback functions are used to initialise and terminate these data objects, and they run before the process's entry point is executed. An attacker can abuse this feature to register callbacks ahead of a legitimate program's own code and use them to replace its content with their own. This is a relatively underused method of process injection and, because the injection happens before the program's normal execution begins, it can be difficult to detect.
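A defender-side check that follows from the description above, added here as an example and not code from the original post: a small parser that reads a PE file's TLS directory and lists the callback addresses it registers, so an analyst can flag executables that carry TLS callbacks during triage. The sample image it builds is constructed inline for demonstration; the image base, section layout and callback addresses are assumed values.

```python
import struct

IMAGE_BASE = 0x140000000                     # assumed image base for the constructed sample
SEC_RVA, SEC_RAW, SEC_SIZE = 0x1000, 0x200, 0x200

def tls_callbacks(data):
    # Return the TLS callback VAs registered in a PE image (empty list if none).
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, e_lfanew + 6)[0], struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                      # start of the optional header
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B   # PE32+ (64-bit) or PE32
    ptr, width = ("<Q", 8) if plus else ("<I", 4)
    image_base = struct.unpack_from(ptr, data, opt + (24 if plus else 28))[0]
    ndirs_off = opt + (108 if plus else 92)                  # NumberOfRvaAndSizes
    if struct.unpack_from("<I", data, ndirs_off)[0] <= 9:    # no TLS directory entry at all
        return []
    tls_rva = struct.unpack_from("<I", data, ndirs_off + 4 + 9 * 8)[0]  # DataDirectory[9] = TLS
    if tls_rva == 0:
        return []
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8) for i in range(nsec)]
    def rva_to_off(rva):  # map an RVA to a file offset through the section table
        for vsize, va, rsize, raw in sections:
            if va <= rva < va + max(vsize, rsize):
                return raw + (rva - va)
        raise ValueError("RVA %#x outside all sections" % rva)
    cb_va = struct.unpack_from(ptr, data, rva_to_off(tls_rva) + 3 * width)[0]  # AddressOfCallBacks
    if cb_va == 0:
        return []
    off, found = rva_to_off(cb_va - image_base), []
    while True:                                              # array ends with a NULL pointer
        va = struct.unpack_from(ptr, data, off)[0]
        if va == 0:
            return found
        found.append(va); off += width

def build_sample_pe(callbacks):
    # Constructed minimal PE32+ image: DOS header, NT headers, one section holding a TLS directory.
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)         # x64, 1 section, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                  # PE32+ magic
    struct.pack_into("<Q", opt, 24, IMAGE_BASE)
    struct.pack_into("<I", opt, 108, 16)                                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 9 * 8, SEC_RVA, 40)                 # TLS directory RVA/size
    sec = b".rdata".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", SEC_SIZE, SEC_RVA, SEC_SIZE, SEC_RAW, 0, 0, 0, 0, 0x40000040)
    tls = struct.pack("<QQQQII", 0, 0, 0, IMAGE_BASE + SEC_RVA + 0x100, 0, 0)  # AddressOfCallBacks
    cbs = b"".join(struct.pack("<Q", c) for c in callbacks) + struct.pack("<Q", 0)
    body = tls.ljust(0x100, b"\0") + cbs
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(SEC_RAW, b"\0") + body.ljust(SEC_SIZE, b"\0")
```

Run `tls_callbacks` over a real file's bytes and treat a non-empty result as a triage signal worth a closer look, since legitimate binaries rarely register TLS callbacks.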

Ursnif is distributed via a spam campaign with a .zip file containing a malicious JavaScript file that acts as a dropper. Once installed, it uses these callbacks to inject itself into a svchost.exe instance, where it then attempts to collect credentials, log keystrokes and monitor search and file histories.

Ursnif variants allow unauthorised access to an affected machine. The trojan connects to a remote host and sends its version information. If a newer version of the trojan is available from the remote host, it removes any currently running versions before installing the updated version of itself.

Command & Control Servers – To Block

    • 3rdpart2.ru
    • invasionusurp.co.cc
    • legislationname.co.cc
    • necessaryprote.co.cc
    • newlinecinema130.ru

Possible Indicators of Compromise

Filename : YourMYOBSupply_Order.zip
MD5 : f6ee68d03f3958785fce45a1b4f590b4
SHA256 : 772bc1ae314dcea525789bc7dc5b41f2d4358b755ec221d783ca79b5555f22ce

Filename : YourMYOBSupply_Order.js
MD5 : c9f18579a269b8c28684b827079be52b
SHA256 : 9f7413a57595ffe33ca320df26231d30a521596ef47fb3e3ed54af1a95609132

Filename : download[1].aspx
MD5 : 13794d1d8e87c69119237256ef068043
SHA256 : e498b56833da8c0170ffba4b8bcd04f85b99f9c892e20712d6c8e3ff711fa66c

Affected Platforms

Microsoft Windows – All Versions



Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
